Phishing is a fraudulent email campaign that attempts to elicit confidential and/or financial information from unwitting victims. Also known as carding, phishing generally entails sending large numbers of emails with compelling reasons why the recipient should click on a link to an official-looking yet bogus website. Once there, the user is encouraged to input confidential information such as credit card, Social Security, and bank-account numbers. The email appears authentic, and may convey a message such as “the bank has lost some records and needs to verify some information.” To aid the user, the email typically provides a link to a Web based form that gathers the requested information. The form, while official looking and seemingly addressed to an official URL, channels the information to a third party. Before long, the confidential information has been misappropriated.
The cleverness of individuals conducting phishing campaigns is increasing at a dramatic rate. To illustrate just how clever phishing attacks can be, consider the phishing of PayPal®. Despite the deception being right in front of the analysts from the beginning, the solution took several days to realize. Instead of using the letter “l” in PayPal®, the perpetrator used a san serif numeral “1,” which looks the same. Phishing is as much an attack of con artists as it is hackers.
Besides the obvious threat to individual privacy that phishing represents, phishing can inflate customer service costs for ISPs and e-commerce businesses. A phishing attack notifying users that their credit card is about to expire and asking for a new input or verification of data can inundate a customer service center with calls.
The response to phishing has achieved limited success. Proposals for limiting phishing include email authentication techniques using antispam standards and scanning for “cousin” domains whereby trademark owners would be notified if a similar sounding URL or site contains spoofed content. Features such as Norton Privacy Control in Symantec's Norton Internet Security product help to stem the increasing number of phishing attacks by allowing users to identify confidential data that they wish to protect. Upon seeing the specific confidential data being transmitted via HTTP (via the web), instant messenger, or SMTP (via email), the user is notified of the pending release of confidential information and prompted to provide verification that the disclosure is authorized. Unfortunately, if a phishing attack is successful, the user believes that they are transmitting their confidential information to a reputable website, thus circumventing the intervention and authorizing the release of sensitive information to what is an illicit destination. Furthermore, current systems lack an ability to modify the level of protection of confidential information based on how the information is used.
There remains a clear need for an effective and automated way to protect confidential information from deceptive and fraudulent phishing campaigns. It would be desirable to recognize the attempted transmission of confidential information to illicit destinations prior to the information's release. It would also be desirable to adjust automatically the scrutiny of confidential information based on the usage of such information. The present invention addresses these and other problems, as well as provides additional benefits.